Forum: Security Evaluations: Who Watches the Watchers?
Moderator: Jeremy Epstein, SRI International
Common Criteria evaluations are a cost of business for organizations who want to do business with the company, regardless of whether they actually improve the security of the products. However, there are built-in conflicts of interest in how evaluations are performed under the Common Methodology for Information Technology Security Evaluation (CEM). Additionally, issues with composition of components into secure systems can lead to undesirable results - products being certified as secure when they're not. This panel will explore the issues encountered by vendors and some of the solutions being implemented by the US government.